
In my previous column I offered a rationale for XKMS as an important web service, and I looked at reducing the problem of implementing such a service to a reasonable size. This time we'll build the infrastructure necessary to develop and deploy an XKMS registration server that can issue certificates and which is intended for use within an enterprise.

Our server will need an SSL certificate and private key. Since it will be signing certificates for others, it will also need a CA certificate and private key; that is, a certificate that says it is allowed to create certificates. We could follow the standard process and just buy our SSL certificate from the reigning monopoly, or we could create a quick "snake-oil" certificate for demonstration purposes. It turns out that it only takes a modest effort to do something real, however; doing that will be the focus this month.

Public Key Infrastructure and Hierarchy

In this exercise we're going to build an enterprise-quality public key infrastructure. We'll then use one of the certificates to create a server that uses SSL. Our hierarchy will look like this:

    ROOT CA
      |
      +-- Level 1 CA
             |
             +-- SSL Certificate(s)
             |
             +-- XKMS Server CA

The root will sign the Level 1 CA and then be taken offline. Anyone who wants to validate any identity within our organization only needs to have our root certificate. If the enterprise merges or joins a commercial PKI (such as Identrus), then we only need to get the root certificate signed by our new "super root".

We'll only create one Level 1 (L1) CA, although a large organization might want one for each division or geographic region. The L1 CAs issue certificates to our application servers and the SSL certificates those servers use. If the applications are used outside the enterprise, we might want a commercial SSL CA to sign those SSL certs instead.

Each of the three CAs follows the same directory structure:

    NAME-ca
      +-- .rand
      +-- serial
      +-- index.txt
      +-- certreq.pem
      +-- cert.pem
      +-- key.pem
      +-- certs
            +-- 01.pem, 02.pem, ...
      +-- crl.pem
      +-- crls
            +-- old CRL's ...

The .rand, serial, and index.txt files are used by OpenSSL to maintain state when generating keys and issuing certificates; each issued cert is also copied into the certs directory under a filename generated from its serial number. The CA's own cert is in cert.pem, and its private key is in key.pem; we'll discuss the risks of that later. To make it easy to get our CAs recertified, we'll keep a copy of the original request in certreq.pem.

For naming, we'll use the Country, organizationName, organizationUnit, and commonName components (or, rather, "C", "O", "OU", and "CN"). If there's an emailAddress, we'll move it to the subjectAltName extension, and not put it in our DN. We'll require that everything have the same C and O components. We'll also require that the certificates our XKMS Server generates must have an emailAddress.

The OpenSSL configuration file for this hierarchy can be found in xkms.conf. A script to create the directory tree can be found in setup-pki-part0. The script can be run with a single argument, --restart, to remove an old configuration. It will also ask for the country and organization names, and it will build a certificate request template used by the other scripts. After running setup-pki-part0, you can edit the req.conf file it generates.

If you want to build the service in a directory other than /opt/xkms, you'll have to edit both files. Both that directory and the /opt/xkms/openssl directory must exist (with appropriate permissions) before doing anything else. Copy both files to the /opt/xkms/openssl directory.

Creating the PKI

The next step is to create the root CA keypair and use the key to create a self-signed certificate. Following that, we'll create a Level 1 CA and have the root sign the L1 certificate. This is done with the setup-pki-part1 script.

Most items are protected by one safeguard. For example, a private key is protected by a password. From the security viewpoint, if we can double that, we have accomplished a great deal. I encourage you to actually try the steps described below, to get a feel for good security practice.

To create the first two CA's, you'll need at least three volunteers and the administrator of the Level 1 CA. Two volunteers will be used to prevent the root private key from being compromised, and the third watches the behavior of the first two. We'll protect the root key with a password; one volunteer will get the password, and the other will get the key. (In my organization, the password was kept in a sealed envelope with other confidential Personnel files, and the key was written to a CD which was sent to our lawyer. We then scrubbed the disk.)

In addition to protecting the company, this type of two-part safeguard also protects you. No matter what happens, it's impossible for you to falsely issue certificates. You don't have the key, you don't have the password, and the third volunteer watched to make sure that the other two put their items into safe escrow.

Running the "part 1" script, you see output like the following:

    **
    **  GENERATING ROOT KEYPAIR
    **
    Generating a 2048 bit RSA private key
    ......................................................+++
    .....+++
    writing new private key to '/opt/xkms/openssl/root-ca/key.pem'
    Enter PEM pass phrase:

Have the first volunteer type a password; they will then have to verify it. They need to write it down on a piece of paper, fold it, and hold onto it. Next you should enter the fields for the root CA name:

    Country Code [US]:
    Organization Name [XKMS Service]:
    Organizational Unit (eg, department) []:
    Common Name (i.e., name of person or server) []:
    Email Address []:

Now the root will sign its own certificate. Have the first volunteer enter the password again.

Now we generate the Level 1 CA. Whoever is in charge of that should enter the password. You should then enter the name:

    Country Code [US]:
    Organization Name [XKMS Service]:
    Organizational Unit (eg, department) []:
    Common Name (i.e., name of person or server) []:Level 1 CA
    Email Address []:level1@example.com

Now the first volunteer will have to enter the root password, look at the certificate, and decide to sign and commit it. At this point, we no longer need the root. Give the key, /opt/xkms/openssl/root-ca/key.pem, to the second volunteer. Have the third volunteer walk the first one to the storage place, and watch them seal the envelope and put the password away. The third volunteer then repeats the process with the second volunteer and the private key.

You can see why this is called a key signing ceremony. In order to sign a new certificate, each volunteer has to bring their piece to the signing machine, watch the operation, and take their part away again. This shows one of the paradoxes of PKI: the more valuable the certificates, the harder it is to sign things. The paradox is that if the CA has to issue a revocation list (CRL), it's a lot of work and a long time can pass. XKMS (among other mechanisms) addresses this.

We'll skip the details of running setup-pki-part2. This ceremony is much less involved: it requires only those running the Level 1 CA and the XKMS Server to be present. Just remember that the common name should be the name of the server host for the SSL and XKMS certificates.
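The hierarchy, directory layout and part 1/part 2 steps above, as an added shell example that is not the article's setup-pki scripts: it assumes openssl 1.1.1 or later on PATH, writes to a temporary directory instead of /opt/xkms/openssl, and uses constructed names and a constructed passphrase.

```shell
# Added example, not the article's setup-pki scripts: the ROOT CA -> Level 1 CA -> SSL certificate
# chain built with the openssl CLI in the article's NAME-ca layout. Assumes openssl 1.1.1 or later.
set -eu; PKI=${PKI:-$(mktemp -d)}; export CA_DIR="$PKI/root-ca"   # CA_DIR picks the CA in xkms.conf
SUBJ="/C=US/O=XKMS Service"        # every DN shares C and O; the policy_match section enforces it
PASS="pass:constructed-demo-only"  # constructed passphrase: the real one goes into sealed escrow
write_conf() { cat > "$PKI/xkms.conf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = \$ENV::CA_DIR
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/certs
certificate = \$dir/cert.pem
private_key = \$dir/key.pem
default_md = sha256
default_days = 365
policy = policy_match
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_server ]
subjectAltName = DNS:localhost, email:xkms@example.com
EOF
}
new_ca_dir() {  # $1 = name: the serial/index.txt/certs state openssl ca needs, plus an encrypted key
    d="$PKI/$1-ca"; mkdir -p "$d/certs"; echo 01 > "$d/serial"; : > "$d/index.txt"
    openssl genrsa -aes256 -passout "$PASS" -out "$d/key.pem" 2048 2>/dev/null; }
request() {     # $1 = name, $2 = CN; the CSR stays in certreq.pem so the CA can be re-certified
    openssl req -new -config "$PKI/xkms.conf" -key "$PKI/$1-ca/key.pem" -passin "$PASS" \
        -subj "$SUBJ/CN=$2" -out "$PKI/$1-ca/certreq.pem"; }
issue() {       # $1 = signing CA, $2 = extension section, $3 = requester; bumps $1's serial file
    CA_DIR="$PKI/$1-ca" openssl ca -config "$PKI/xkms.conf" -batch -notext -passin "$PASS" \
        -extensions "$2" -in "$PKI/$3-ca/certreq.pem" -out "$PKI/$3-ca/cert.pem"; }
build_pki() {
    rm -rf "$PKI"/*-ca; write_conf; new_ca_dir root; new_ca_dir level1; new_ca_dir server
    openssl req -x509 -new -config "$PKI/xkms.conf" -key "$PKI/root-ca/key.pem" -passin "$PASS" \
        -subj "$SUBJ/CN=Root CA" -days 3650 -extensions v3_ca -out "$PKI/root-ca/cert.pem"
    request level1 "Level 1 CA"; issue root v3_ca level1       # root signs L1, then goes offline
    request server localhost;    issue level1 v3_server server  # L1 issues the SSL certificate
}
verify_chain() {  # a relying party holds only the root; the L1 cert is untrusted input
    openssl verify -CAfile "$PKI/root-ca/cert.pem" -untrusted "$PKI/level1-ca/cert.pem" "$PKI/server-ca/cert.pem"; }
build_pki && verify_chain
```

After the Level 1 request is signed, root-ca/serial reads 02 and a copy of the issued certificate sits in root-ca/certs/01.pem; if serial or index.txt cannot be updated, openssl ca refuses to continue rather than reuse a serial number.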

server.py implements a small Python server that listens on local port 9999 using the SSL certificate we just created. Use a browser to connect to a URL like https://localhost:9999/foo. You can then walk through the browser's security and certificate settings and see references to the PKI you just created.

Next month we'll begin implementing the web service.


Comment on this articleHave you developed PKI web services? Share your experience in our forum.
(* You must be a
member of XML.com to use this feature.)
Comment on this Article


Titles Only Titles Only Oldest First
  • Building a Security Infrastructure
    2004-02-22 06:24:23 Pete ODonnell [Reply]

    Building the SSL certificate fails, at least on RH9 using the latest kernel build and the most up to date openssl version. The reason is that it tries to make two certificates with the same number. I am not an expert but I don't think it's allowed and I have no solution to the problem.

    • Building a Security Infrastructure
      2004-03-31 08:16:12 Rich Salz [Reply]

      You are most definitely *not* allowed to re-use serial numbers. Perhaps you don't have permission to update the "serial.txt" and/or "db.txt" files?
